Privacy Policy
Effective May 4, 2026
Last updated: May 5, 2026. We’re working with legal counsel on the final version of this document. Email legal@costbasis.tax with questions.
1. Overview
CostBasis (“we”, “us”, “our”) operates a crypto tax calculation service for Bitcoin and Ethereum holders. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and how we protect it. By using the Service, you agree to the practices described here.
2. Information We Collect
Account information
When you sign up, we collect your name and email address via Clerk, our authentication provider. We also store a unique user identifier linked to your Clerk account.
Exchange credentials
If you connect a cryptocurrency exchange (Coinbase, Binance, or Kraken), we store your API key and API secret. These credentials are encrypted at rest using AES-256-GCM before being written to the database. We never store them in plaintext or log them. We use these credentials only to fetch your transaction history on your behalf.
Wallet addresses
If you import a Bitcoin or Ethereum wallet, we store the public wallet address you provide. Public wallet addresses carry no spending authority. We never ask for private keys or seed phrases.
Transaction history
We retrieve and store your cryptocurrency transaction history (amounts, timestamps, transaction hashes, counterparty addresses) from connected exchanges and public blockchains. This data is necessary to calculate cost basis and generate tax reports.
Payment information
Subscription payments are processed by Stripe. We do not store full card numbers or CVV codes. We store a Stripe customer ID and subscription status to manage your billing.
Usage and error data
We use Sentry for error monitoring. Sentry may capture stack traces and request metadata when errors occur. We configure Sentry to exclude sensitive fields such as API keys and transaction data.
3. How We Use Your Information
- To provide and operate the Service
- To import and process your transaction history and calculate cost basis
- To generate tax reports (Form 8949, Schedule D)
- To process payments and manage your subscription
- To send transactional emails (sync confirmations, billing receipts)
- To diagnose errors and improve the Service
- To comply with legal obligations
We do not use your financial data for advertising, profiling, or any purpose other than providing the Service to you.
4. Data Sharing
We do not sell, rent, or trade your personal information. We share data only with the service providers listed below, solely to the extent necessary to operate the Service.
We may disclose information if required by law, court order, or valid legal process, or to protect the rights, safety, or property of CostBasis or others.
5. Third-Party Service Providers
The following third-party services process data on our behalf:
- Clerk: Authentication and user account management
- Stripe: Payment processing and subscription management
- Neon (PostgreSQL): Primary database hosting
- Vercel: Application hosting and file storage (Vercel Blob)
- Etherscan: Ethereum transaction data retrieval
- Blockchain.com: Bitcoin transaction data retrieval
- CoinGecko: Historical cryptocurrency price data
- Resend: Transactional email delivery
- Sentry: Error monitoring and diagnostics
6. Security
Exchange API keys are encrypted at rest using AES-256-GCM before storage. All data in transit is protected by TLS. Database connections use SSL. We use role-based access controls and do not expose administrative interfaces publicly.
No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but take reasonable measures to protect your data.
7. Data Retention
We retain your account data, transaction history, and cost basis records for as long as your account is active or as needed to provide the Service. Tax records may be retained for up to 7 years to align with standard IRS audit windows.
When you delete your account, we will delete or anonymize your personal data within 30 days, subject to any legal retention obligations.
8. Your Rights
Depending on your location, you may have rights regarding your personal data, including:
- Access — request a copy of the data we hold about you
- Correction — request that inaccurate data be corrected
- Deletion — request deletion of your account and associated data
- Portability — request your transaction data in a machine-readable format
To exercise these rights, email privacy@costbasis.tax. We will respond within 30 days.
9. Children
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated by email or notice in the Service at least 14 days before taking effect. The updated policy will be posted at this URL with a revised effective date.
11. Contact
Questions or concerns about this Privacy Policy? Email us at privacy@costbasis.tax.